GDPR

Regulation (EU) 2016/679 - General Data Protection Regulation

Comprehensive European Union data protection regulation establishing rights for data subjects and obligations for controllers and processors. Applies extraterritorially to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

Executive Summary

GDPR (applicable from May 25, 2018) establishes 7 data protection principles (Article 5), 8 data subject rights (Articles 12-22: information, access, rectification, erasure, restriction, portability, objection, and protection against solely automated decision-making), and comprehensive controller and processor obligations. It is enforced by national Data Protection Authorities, which can impose administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. It applies to organizations established in the EU/EEA and to non-EU entities that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3).

Comprehensive Documentation

General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679

Adopted: April 27, 2016
Effective Date: May 25, 2018
Current Status: Fully applicable and enforced across EU/EEA

Official Sources

  • EUR-Lex Official Text: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng

  • European Commission: https://ec.europa.eu/info/law/law-topic/data-protection_en

  • European Data Protection Board: https://www.edpb.europa.eu/


Overview

GDPR is the primary data protection law in the European Union, establishing comprehensive rights for individuals (data subjects) and obligations for organizations (controllers and processors). The regulation applies across all 27 EU Member States and the 3 EEA EFTA countries (Iceland, Liechtenstein, Norway), creating a single set of data protection rules.

Structure

  • 11 Chapters, 99 Articles, 173 Recitals

  • Chapter I: Scope and definitions

  • Chapter II: Principles

  • Chapter III: Rights of data subjects

  • Chapter IV: Controller and processor obligations

  • Chapter V: International data transfers

  • Chapter VI: Independent authorities (DPAs)

  • Chapter VII: Cooperation and consistency

  • Chapter VIII: Remedies, liability, and penalties

  • Chapter IX: Provisions relating to specific processing situations

  • Chapter X: Delegated acts and implementing acts

  • Chapter XI: Final provisions


Seven Data Protection Principles (Article 5)

1. Lawfulness, Fairness, and Transparency


  • Personal data must be processed lawfully, fairly, and transparently

  • Clear, plain language information required

  • Data subjects must understand how their data is used


2. Purpose Limitation


  • Data collected for specified, explicit, and legitimate purposes

  • Cannot be further processed for incompatible purposes

  • Compatible processing may be allowed under specific conditions


3. Data Minimization


  • Only collect data that is adequate, relevant, and necessary

  • Applies to: collection amount, processing extent, storage period, accessibility

  • Organizations must implement data minimization by default


4. Accuracy


  • Personal data must be accurate and kept up to date

  • Reasonable steps to erase or rectify inaccurate data

  • Procedures to maintain accuracy required


5. Storage Limitation


  • Keep data in identifiable form only as long as necessary

  • Exceptions for archiving, scientific research, historical, statistical purposes

  • Organizations must define retention periods


6. Integrity and Confidentiality


  • Appropriate security ensuring protection against unauthorized processing

  • Protection against accidental loss, destruction, or damage

  • Technical and organizational measures required (Article 32)


7. Accountability


  • Controllers must demonstrate compliance with all principles

  • Maintain records of processing activities (Article 30)

  • Implement appropriate technical and organizational measures

  • Responsibility to prove lawful processing


Eight Data Subject Rights (Articles 12-22)

1. Right to be Informed (Articles 13-14)


  • Clear, transparent information about data processing

  • Information provided at point of collection or within reasonable time

  • Includes: controller identity, purposes, legal basis, recipients, retention, rights


2. Right of Access (Article 15)


  • Confirmation whether personal data is being processed

  • Access to copy of personal data

  • Information about processing operations

  • Response time: without undue delay and in any event within one month of receipt; extendable by two further months for complex or numerous requests, provided the subject is told within the first month (Article 12(3))

  • Cost: free of charge unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged or the request refused (Article 12(5))


3. Right to Rectification (Article 16)


  • Correct inaccurate or incomplete personal data

  • Controller must communicate the rectification to each recipient to whom the data were disclosed, unless this proves impossible or involves disproportionate effort (Article 19)

  • Must be processed without undue delay


4. Right to Erasure / "Right to be Forgotten" (Article 17)


  • Request deletion in specific circumstances:

- Data no longer necessary for original purpose
- Unlawful processing
- Legal obligation to erase
- Withdrawal of consent
- Successful exercise of right to object
  • Exceptions (Article 17(3)): freedom of expression and information, compliance with a legal obligation or public-interest task, public health, archiving/research/statistical purposes, and establishment, exercise or defence of legal claims


5. Right to Restrict Processing (Article 18)


  • Limit how data is used while organization retains it

  • Applied when (Article 18(1)): accuracy is contested (for the period needed to verify it); processing is unlawful but the subject opposes erasure; the controller no longer needs the data but the subject needs it for legal claims; or an objection under Article 21(1) is pending verification

  • Data retained but processing limited


6. Right to Data Portability (Article 20)


  • Receive personal data in structured, commonly used, machine-readable format

  • Transmit data to another controller without hindrance

  • Applies only where both conditions hold: processing is based on consent or on a contract, AND it is carried out by automated means (Article 20(1))

  • Provided within one month, free of charge


7. Right to Object (Article 21)


  • Object, on grounds relating to the individual's particular situation, to processing based on legitimate interests or on a public-interest task (Article 21(1))

  • Object to direct marketing, including related profiling: an absolute right with no balancing test; processing for that purpose must stop (Article 21(2)-(3))

  • For other processing, the controller must stop unless it demonstrates compelling legitimate grounds that override the subject's interests, rights and freedoms, or the processing is needed for legal claims


8. Rights Related to Automated Decision-Making (Article 22)


  • Right not to be subject to a decision based solely on automated processing, including profiling

  • Applies only where the decision produces legal effects concerning the individual or similarly significantly affects them (Article 22(1))

  • Exceptions: the decision is necessary for a contract, is authorized by EU or Member State law, or is based on the individual's explicit consent (Article 22(2))

  • Safeguards where an exception applies: the right to obtain human intervention, to express one's point of view, and to contest the decision (Article 22(3))


Controller Obligations (Article 24)

Controllers must:

  • Implement appropriate technical and organizational measures ensuring compliance

  • Demonstrate compliance with all GDPR principles

  • Develop data protection policies and procedures

  • Maintain Records of Processing Activities (Article 30)

  • Conduct Data Protection Impact Assessments (DPIA) for high-risk processing (Article 35)

  • Implement Data Protection by Design and by Default (Article 25)

  • Ensure security measures (Article 32)

  • Report personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals (Article 33)

  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)

  • Appoint Data Protection Officer (DPO) where required (Articles 37-39)


Processor Responsibilities (Article 28)

Processors must:

  • Only process personal data on documented instructions from controller

  • Ensure personnel committed to confidentiality

  • Implement appropriate technical and organizational security measures

  • Assist controller with data subject rights requests

  • Assist controller with GDPR compliance obligations

  • Delete or return personal data after service ends

  • Make available the information needed to demonstrate compliance, and allow and contribute to audits and inspections by the controller or an auditor it mandates (Article 28(3)(h))

  • Notify controller of personal data breaches

  • Use only authorized sub-processors with prior controller approval

  • Execute written contracts with controllers


Security of Processing (Article 32)

Controllers and processors must implement technical and organizational measures appropriate to the risk, taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of processing. As appropriate, these include:

  • Pseudonymization and encryption of personal data

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

  • The ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident

  • A process for regularly testing, assessing and evaluating the effectiveness of the measures

The risk assessment must account in particular for accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data (Article 32(2)).
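
Added worked example (not part of the regulation or of this page's original text): the Article 32 list names "pseudonymization", but the GDPR meaning in Article 4(5) is narrower than "hash the identifier": the data must no longer be attributable to a person without additional information that is kept separately. The Python below, written for this page, contrasts an unkeyed SHA-256 of an e-mail address, which an attacker reverses by guessing, with an HMAC under a secret key kept separately, and shows that the key holder can still re-identify, so the output is still personal data. The records, e-mail addresses and function names are constructed for illustration.

```python
"""Keyed pseudonymisation of direct identifiers as an Article 32(1)(a) measure.

Illustration added for this page: shows why an unkeyed hash of an identifier is
not pseudonymisation in the Article 4(5) sense (it is reversible by guessing),
why an HMAC under a separately held key is, and why even the keyed form stays
personal data for whoever holds the key.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious, not from any real dataset).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.org", "purchases": 1},
    {"email": "alice@example.com", "purchases": 2},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Anyone can recompute it for a guessed
    identifier, so low-entropy identifiers (e-mails, phone numbers, national
    ID numbers) are re-identified by a plain dictionary attack."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Re-identification requires the key, which
    Article 4(5) requires to be kept separately under its own technical and
    organisational measures (a KMS or HSM, never the analytics database)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonym: str, candidates, derive):
    """Model an attacker holding one pseudonym and a list of guessed identifiers
    who can run `derive` on each guess. Returns the matching identifier, or
    None if the guess list does not reverse the pseudonym."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None


def pseudonymise_records(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym. Rows belonging to
    the same person still link together (same key, same pseudonym), which is
    what analytics needs; the plaintext e-mail never leaves this function."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "purchases": r["purchases"]}
        for r in records
    ]


def new_purpose_key() -> bytes:
    """Fresh 256-bit key. A distinct key per purpose (analytics vs. fraud
    detection, say) makes the two pseudonymised datasets unlinkable, which
    supports purpose limitation as well as Article 32."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_purpose_key()
    guesses = ["alice@example.com", "bob@example.org", "carol@example.net"]
    target = "alice@example.com"

    # Unkeyed hash: reversed immediately by guessing.
    print("naive, reversed  ->", dictionary_attack(naive_pseudonym(target), guesses, naive_pseudonym))
    # Keyed pseudonym: the same guess list fails without the key ...
    print("keyed, no key    ->", dictionary_attack(keyed_pseudonym(target, key), guesses, naive_pseudonym))
    # ... but the key holder can still re-identify, so it is still personal data.
    print("keyed, with key  ->", dictionary_attack(keyed_pseudonym(target, key), guesses,
                                                  lambda c: keyed_pseudonym(c, key)))
    for row in pseudonymise_records(SAMPLE_RECORDS, key):
        print(row)
```

Running the script shows the three outcomes of the guessing attack: the naive pseudonym is reversed, the keyed one is not without the key, and is with it. The design point for an Article 32 control: store the HMAC key in a KMS or HSM separate from the pseudonymised dataset, use a distinct key per processing purpose, and remember that deleting the key removes re-identification via the key but not linkability between rows or inference from the remaining attributes.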


Data Breach Notification (Articles 33-34)

Controllers must:

  • Notify supervisory authority without undue delay (within 72 hours where feasible)

  • Notify affected data subjects where high risk to their rights/freedoms

  • Include in the notification (Article 33(3)): nature of the breach, including categories and approximate numbers of data subjects and records concerned; contact details of the DPO or other contact point; likely consequences; measures taken or proposed. Information may be provided in phases if not all available at once, and every breach must be documented internally even if not notifiable (Article 33(4)-(5))


Processors must:

  • Notify controller without undue delay upon discovering breach


Territorial Scope (Article 3) - Extraterritorial Reach

Criterion 1: Establishment (Article 3(1))


  • Applies to organizations established in EU/EEA regardless of where data is processed

  • Includes EU subsidiaries of non-EU companies


Criterion 2: Targeting/Monitoring (Article 3(2))


  • Applies to controllers and processors not established in the EU when the processing relates to:

- Offering goods or services to data subjects in the EU, whether or not payment is required; free services count (Article 3(2)(a))
- Monitoring the behaviour of data subjects in the EU, as far as that behaviour takes place in the EU, e.g. tracking or profiling of individuals on the internet (Article 3(2)(b), Recital 24)
  • The test is presence in the EU at the time of the processing, not residence or citizenship

Consequence - Representative Requirement (Article 27):

  • Non-EU controllers and processors falling under Article 3(2) must designate in writing a representative in the EU

  • Representative must be established in one of the Member States where the relevant data subjects are (Article 27(3))

  • Exemption (Article 27(2)): occasional processing that does not include large-scale special-category or criminal-conviction data and is unlikely to result in a risk to individuals; public authorities and bodies

  • Gives data subjects and DPAs a point of contact in the EU and simplifies enforcement against foreign organizations


Enforcement - Data Protection Authorities

European Data Protection Board (EDPB)


  • Independent European body coordinating DPAs

  • https://www.edpb.europa.eu/

  • Publishes guidelines and recommendations

  • Ensures consistent GDPR application

  • Resolves disputes between DPAs


National Data Protection Authorities (DPAs)


  • Each EU/EEA country has independent DPA

  • Examples: CNIL (France), AEPD (Spain), Garante (Italy), DPC (Ireland), Autoriteit Persoonsgegevens (Netherlands); Germany has the federal BfDI plus one authority per Land, and the Land authorities supervise most private companies

  • The UK ICO enforces the separate UK GDPR that applies after Brexit, not Regulation (EU) 2016/679


DPA Powers (Article 58):

Investigative Powers:

  • Request information from organizations

  • Access premises and examine documents

  • Conduct data protection audits

  • Obtain copies of personal data


Corrective Powers:
  • Issue warnings and reprimands

  • Order controller to comply with rights

  • Impose bans on processing

  • Order deletion of data

  • Suspend data transfers

  • Impose administrative fines (Article 83)


Administrative Fines (Article 83)

Two-Tier Fine System

Tier 1 (Article 83(4)):

  • Up to EUR 10,000,000, OR

  • Up to 2% of total worldwide annual turnover of the preceding financial year (whichever is higher)

  • Applies to infringements of controller and processor obligations (Articles 8, 11, 25-39), certification bodies (Articles 42-43) and monitoring bodies (Article 41(4)), i.e. the breach-notification, DPIA, DPO, security and records-of-processing duties


Tier 2 (Article 83(5)-(6)):

  • Up to EUR 20,000,000, OR

  • Up to 4% of total worldwide annual turnover of the preceding financial year (whichever is higher)

  • Applies to infringements of: the basic principles for processing, including conditions for consent (Articles 5, 6, 7 and 9); data subject rights (Articles 12-22); international transfers (Articles 44-49); obligations under Member State law adopted under Chapter IX; and non-compliance with a DPA order or processing ban


Calculation of "Worldwide Turnover"


  • Based on total worldwide annual turnover of the preceding financial year

  • Where the infringer is part of a group, "undertaking" is read in the competition-law sense of Articles 101 and 102 TFEU (Recital 150), so the turnover of the whole economic unit (parent and subsidiaries) is the reference


Factors Determining Fine Amount (Article 83(2))


  • Nature, gravity, and duration of infringement

  • Intentional or negligent character

  • Actions taken to mitigate damage

  • Previous infringements history

  • Degree of cooperation with DPA

  • Categories of personal data affected

  • Legal remedies exercised by data subjects


Requirements


  • Fines must be effective, proportionate, and dissuasive

  • Applied in each individual case

  • May be in addition to or instead of other corrective measures

  • Subject to judicial review


Recent Enforcement


  • GDPR fines have exceeded EUR 3 billion cumulatively

  • Largest single fines include Meta (EUR 1.2 billion, Irish DPC, 2023, for EU-US data transfers) and Amazon (EUR 746 million, Luxembourg CNPD, 2021)

  • Demonstrates active enforcement by DPAs, with transfers and legal basis for advertising as recurring themes


Massachusetts/US Companies - GDPR Applicability

GDPR applies to Massachusetts organizations if they:

1. Have an EU Establishment (Article 3(1))


  • Office, subsidiary, or branch in the EU, or staff or agents carrying out stable, effective activity there

  • Covers processing carried out in the context of that establishment's activities, wherever the data is actually processed, including on servers in Massachusetts

  • Does not automatically bring the whole US organization into scope; processing unconnected to the EU establishment is assessed under Article 3(2) instead


2. Target the EU Market (Article 3(2)(a))


  • Offer goods or services to individuals in the EU (payment not required; free services count)

  • Indicators (Recital 23): marketing aimed at EU customers, use of an EU language or currency, shipping to EU addresses, naming EU customers or audiences

  • Mere accessibility of a website from the EU is not enough; there must be an apparent intention to offer


3. Monitor Individuals in the EU (Article 3(2)(b))


  • Behavioural tracking of individuals in the EU, e.g. cookies, device fingerprinting

  • Profiling for targeted advertising

  • Analytics of EU user behaviour

  • Location tracking of individuals in the EU

  • Biometric monitoring of individuals in the EU


Practical Example: A Massachusetts-based SaaS company offering free web analytics to European websites must comply with GDPR: it offers a service to the EU market, and its analytics monitor the behaviour of individuals in the EU, so both limbs of Article 3(2) are met. It will also need an EU representative unless an Article 27(2) exemption applies.

Data Transfer Framework (Chapter V)


  • Transfers of personal data from the EU to the US require a Chapter V mechanism; US law alone is not treated as providing an adequate level of protection

  • EU-US Data Privacy Framework (DPF): the adequacy decision of July 2023 covers US organizations that self-certify to the DPF and only for the data covered by that certification

  • Alternatives: Standard Contractual Clauses (SCCs) together with a transfer impact assessment, or Binding Corporate Rules (BCRs) for intra-group transfers

  • Transfers without a valid mechanism are unlawful and fall in the upper fine tier (Article 83(5)(c))


Key Point: Under Article 3(2), GDPR applies to a Massachusetts entity regardless of where it is located or processes the data, provided it offers goods or services to, or monitors the behaviour of, individuals in the EU. Incidental processing of an EU individual's data without such targeting or monitoring does not by itself trigger Article 3(2).

Compliance Summary

Requirement              Details
-----------------------  ------------------------------------------------------------------------------------------
Regulation               (EU) 2016/679
Effective Date           May 25, 2018
Principles               7 core principles (Article 5)
Data Subject Rights      8 fundamental rights (Articles 12-22)
Response Time            1 month for most requests, extendable by 2 further months (Article 12(3))
Breach Notification      72 hours to DPA (Article 33); data subjects where high risk (Article 34)
Maximum Fine Tier 1      EUR 10M or 2% worldwide turnover, whichever is higher (Article 83(4))
Maximum Fine Tier 2      EUR 20M or 4% worldwide turnover, whichever is higher (Article 83(5))
Enforcement              National DPAs + EDPB coordination
Territorial Scope        EU/EEA establishments + non-EU entities targeting or monitoring individuals in the EU
Representative           Required for non-EU entities under Article 3(2), subject to Article 27(2) exemptions
DPO Required             Public authorities; core activities involving large-scale regular monitoring or large-scale special-category data (Article 37)

Applicable Industries

All industries, including:

  • Technology and Software
  • Healthcare
  • Financial Services
  • Retail and E-commerce
  • Education
  • Telecommunications
  • Media and Entertainment
  • Professional Services
  • Manufacturing
  • Government and Public Sector

Company Size

Applies to all organizations (controllers and processors) regardless of size if they: (1) are established in EU/EEA, OR (2) target or monitor EU residents. Small businesses and startups included. No revenue or employee thresholds.

Effective Date

5/25/2018

Penalties for Non-Compliance

Administrative fines up to EUR 20 million or 4% of annual worldwide turnover (whichever is higher) for severe violations. EUR 10 million or 2% turnover for less severe violations. Additional remedies: processing bans, data deletion orders, suspension of data transfers. Must be effective, proportionate, and dissuasive.

For Massachusetts Companies

GDPR is an EU regulation, not a US federal law, but it binds Massachusetts companies in any industry that meet the Article 3 tests above (EU establishment, or offering goods or services to or monitoring individuals in the EU). Non-compliance can result in significant penalties, enforced by EU DPAs and, for entities under Article 3(2), through the mandatory EU representative.
